-
Notifications
You must be signed in to change notification settings - Fork 20
OpenSSL Debugging Hints
Here is a short list of some OpenSSL debugging hints and examples.
echo | openssl s_client -connect example.com:443
This will connect to the server and display the SSL details, like the certificate details, certificate chain, used encryption, verification result, etc.
Use the -servername example.com option if the server is a virtual host and uses several SSL certificates for the same IP, this will use SNI.
Use -CAfile cert.pem option with if you have a custom certificate, you can verify that the connection to the server works using the specific certicate.
The previous command also dumps the certificate (in PEM format), you can either manually extract it from the out put or you can use this sed commanf:
echo | openssl s_client -connect example.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
openssl x509 -in cert.pem -text -noout
This displays the certificate details in a human readable format.
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
The OpenSSL tool will ask for some input data interactively, like the organization name, your location, etc. For testing purposes it does not matter what you enter, feel free to use any values.
The only important value is the certificate subject, you must use the server host name otherwise the SSL verification will fail. You might even use localhost if you use the service only locally via the https://localhost address.
ruby -r webrick/https -e 'WEBrick::HTTPServer.new(Port: 8000, DocumentRoot: ".", SSLEnable: true, SSLCertificate: OpenSSL::X509::Certificate.new(File.read("cert.pem")), SSLPrivateKey: OpenSSL::PKey::RSA.new(File.read("key.pem"))).start'
openssl s_server -key key.pem -cert cert.pem -accept 9000 -www
curl --cacert cert.pem https://localhost:9000
If you want to verify the SSL connection to the server using a custom SSL certificate.